How to move a needle on third-party cybersecurity

BOSTON – The chief information security officers of Intermountain Health, Northwell Health and Renown Health shared insights and guidance on how to prioritize third-party risk management during the 2022 HIMSS Cybersecurity Forum.

Rather than opening with a data-centric view of third-party risk, Erik Decker, assistant vice president and CISO at Intermountain Healthcare, began the third-party risk management panel by focusing participants on how critical third-party services are to a healthcare provider’s mission.

“It’s not too complicated. [Advanced persistent threats and] national actors are spending exorbitant amounts of resources getting into your organization,” he said.

“The reality is the lack of basic controls, some basic hygiene, and some basic issues that we thought we covered, but in reality we might not have mentioned.”

Decker was joined on the panel by Northwell Health CISO Kathy Hughes and Renown Health CISO Steven Ramirez.

Axis and considerations

If third-party providers that are critical to the delivery of healthcare stop working, the impact on care delivery can be profound.

“I think we also need to pivot to thinking about the state of the matter,” says Decker.

While electronic health records are clearly an important third-party system, there are also medical devices that depend on cloud computing, where a compromise of those systems would have clinical consequences.

There are also third parties that provide core services such as syringes, laundry and medical equipment.

“If they go down, how does that affect your hospital?” he asks.

Decker also cites the “Kronos effect” – the convergence of large providers that can impact care when they are attacked.

Because these large vendors offer innovative services that improve operations, “they become very targeted for maximum damage and maximum impact,” he said.

There are also affiliated organizations with back-end access, which increases the attack surface.

From transactional to continuous monitoring

Hughes warns that the usual vendor risk management assessment process – asking the right questions to build a risk profile – is a “snapshot in time”.

The information a third-party risk management program collects depends on the type of data the organization will allow the vendor to handle, along with the amount of data, the number of users, where the data resides, the use case, and which device or system is involved.

The analysis is worthwhile “because it does it for a large amount of time” and it identifies vulnerabilities, but “it’s still a very manual and labor-intensive process,” she said.

To address the transactional nature of assessments, Ramirez said, a more holistic approach framed in the language of business impact analysis begins with capital planning.

“If we can get ahead of the table and look at our high-risk suppliers, high-risk processes, then we can start putting those extra controls in place,” he said, to avoid the domino effect.

Bringing two or three potential vendors into those discussions can help build continuity into the business impact analysis process.

Hughes says that establishing inter-departmental relationships is essential to communicating risk, “because there’s no such thing as no risk, there’s always some degree of tolerance.”

The partnership helps people understand what the risks are, she said.

“It’s really about trying to make that process as smooth as possible.”

Maintaining face-to-face discussions with key stakeholders helps keep pace with the changes that develop over time with new vendors, suppliers and interdependent relationships, adds Ramirez.

Expand the risk assessment process

“When we did these hundreds of thousands of reviews, that resulted in hundreds of thousands of issues that we saw and found, which means you have to manage hundreds of thousands of different things,” Decker said.

Hughes said her organization negotiates with the vendor to obtain a commitment to comply with its standards and writes that commitment into the contract language.

“Overall, that would reduce residual risk from medium or high to low – if they meet those commitments,” she said, adding that vendors must meet their commitments by certain dates, which the organization tracks and follows up on.

“Typically, we find that providers are very receptive because they know that all healthcare organizations are asking the same questions and are only really looking to protect systems and data.”

Vulnerability teams also monitor insurers’ outward-facing scorecards, which look at a healthcare organization’s perimeter cybersecurity and infer its internal controls, Ramirez said. Those scorecards provide a starting point for developing maturity.

“It’s one component of the bigger picture,” he says, but those risk scores provide an opportunity to drive more optimization.

Hughes noted that the risk ratings cyber insurers rely on are also reviewed by threat actors.

“They’ll be targeting organizations that are probably not secure,” she notes.

Decker asked whether the time organizations devote to correcting inaccuracies in vendor assessments is really adding value.

Healthcare organizations share thousands of vendors in common, he said, and ask many of the same questions in the risk assessment process.

If healthcare organizations could enroll their critical vendors so that other healthcare organizations assessing those same vendors have something to build on, such a “community service delivery” model could streamline risk assessment processes, Decker suggested.

Building a cybersecurity culture

Tying clinical care to the business, Hughes said a separate business continuity and crisis management team works with the various departments to review their shutdown procedures.

“They didn’t think for weeks and months,” she said.

She advises making sure plans are available and that alternative vendors are identified and ready to be brought in.

Ramirez says tabletop exercises are essential, and he likes to use breaks to ask “why shouldn’t something work out well?” and then emphasize the points of failure.

“If you’re looking for a place to start, I recommend sketching your lab, pharmacy, and EMR images,” says Decker. “And consider how you’re going to get out of that over a month, what that looks like and what solutions you need to be ready to stand up for.”

He also pointed attendees to the Health Sector Coordinating Council’s guide to healthcare cybersecurity supply chain risk management, which he chairs, for more third-party risk management guidance.

Andrea Fox is the senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS.
